Skip to content

Commit

Permalink
Make scope checking after authorization multi-scope aware.
Browse files Browse the repository at this point in the history
The list of authorized scopes doesn't have to be in the same order as
we send it. So better check the single scope names on their own.

Relates to IQSS#5991.
  • Loading branch information
poikilotherm committed Sep 23, 2019
1 parent 6472f97 commit a51497f
Show file tree
Hide file tree
Showing 4 changed files with 11 additions and 8 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -93,7 +93,7 @@ public String toString() {
protected String clientSecret;
protected String baseUserEndpoint;
protected String redirectUrl;
protected String scope;
protected List<String> scope;

public abstract DefaultApi20 getApiInstance();

Expand All @@ -108,7 +108,7 @@ public String toString() {
public OAuth20Service getService(String callbackUrl) {
return new ServiceBuilder(getClientId())
.apiSecret(getClientSecret())
.defaultScope(getScope())
.defaultScope(getSpacedScope())
.callback(callbackUrl)
.build(getApiInstance());
}
Expand All @@ -129,8 +129,8 @@ public OAuth2UserRecord getUserRecord(String code, @NotNull OAuth20Service servi

OAuth2AccessToken accessToken = service.getAccessToken(code);

if ( ! accessToken.getScope().contains(scope) ) {
// We did not get the permissions on the scope we need. Abort and inform the user.
if ( !getScope().stream().allMatch(accessToken.getScope()::contains) ) {
// We did not get the permissions on the scope(s) we need. Abort and inform the user.
throw new OAuth2Exception(200, BundleUtil.getStringFromBundle("auth.providers.orcid.insufficientScope"), "");
}

Expand Down Expand Up @@ -232,7 +232,9 @@ public String getSubTitle() {
return subTitle;
}

public String getScope() { return scope; }
public List<String> getScope() { return scope; }

public String getSpacedScope() { return String.join(" ", scope); }

@Override
public int hashCode() {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -75,7 +75,7 @@ public String linkFor(String idpId, String redirectPage) {

return svc.createAuthorizationUrlBuilder()
.state(state)
.scope(idp.getScope())
.scope(idp.getSpacedScope())
.build();
}

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
import edu.harvard.iq.dataverse.authorization.providers.oauth2.AbstractOAuth2AuthenticationProvider;
import edu.harvard.iq.dataverse.util.BundleUtil;
import java.io.StringReader;
import java.util.Arrays;
import java.util.UUID;
import javax.json.Json;
import javax.json.JsonObject;
Expand All @@ -22,7 +23,7 @@ public GoogleOAuth2AP(String aClientId, String aClientSecret) {
title = BundleUtil.getStringFromBundle("auth.providers.title.google");
clientId = aClientId;
clientSecret = aClientSecret;
scope = "https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email";
scope = Arrays.asList("https://www.googleapis.com/auth/userinfo.profile", "https://www.googleapis.com/auth/userinfo.email");
baseUserEndpoint = "https://www.googleapis.com/oauth2/v2/userinfo";
}

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -55,7 +55,7 @@ public class OrcidOAuth2AP extends AbstractOAuth2AuthenticationProvider {
public static final String PROVIDER_ID_SANDBOX = "orcid-sandbox";

public OrcidOAuth2AP(String clientId, String clientSecret, String userEndpoint) {
scope = "/read-limited";
scope = Arrays.asList("/read-limited");
this.clientId = clientId;
this.clientSecret = clientSecret;
this.baseUserEndpoint = userEndpoint;
Expand Down

0 comments on commit a51497f

Please sign in to comment.